First of all, this is experimental code for educational purposes! I'm just trying to understand what is possible with JavaScript injection. As web sites move toward AJAX web apps with one formal page load it seems feasible to manipulate entire user bases interactively without actually hacking them -- just the websites. Transient malware in JavaScript... I'm looking at the possiblility of a single, fixed payload that performs actions on-demand... sort of a psuedo-botnet. Here is what I have now but it's pretty far off the mark (but it works)

I'm wondering if there's a simpler way or at least a way to act on data returned by the controlled server without relying on arbitrary timeouts. The javascript keylogger intervals may need tweaking too. Or maybe just a real XHR xD